Sophisticated SharePoint Phishing Campaigns Exploiting Trust and Identity Verification 

How sophisticated SharePoint phishing exploits trust, and what organisations can do to stay protected.

Over the past week, our SOC has detected a sharp increase in phishing campaigns leveraging Microsoft SharePoint. These attacks are not only technically sophisticated but also psychologically manipulative, leveraging familiar identities and legitimate-looking processes to deceive even cautious users. 

What’s particularly concerning is that some of the compromised accounts used in these campaigns belong to individuals our clients had previously engaged with. We’ve seen that this exploitation of trust significantly increases the success rate of the phishing attempts, as recipients were more likely to engage with the content from known contacts. 

The phishing strategy observed follows a multi-layered approach designed to bypass security controls and manipulate user trust: 

  • Initial contact from a trusted source: Victims receive emails from compromised Microsoft accounts, often belonging to known business contacts. These emails contain links to PDF files hosted on the sender’s personal SharePoint or OneDrive. 
  • Identity-gated access: Upon clicking the link, users are prompted to verify their identity. The user can only proceed if the email address matches the intended recipient, creating a false sense of exclusivity and legitimacy. After entering their credentials, users receive an authentic Microsoft validation code sent to their email. This reinforces the illusion that the process is secure and sanctioned by Microsoft. 
  • Credential harvesting: Once the validation code is entered and the user accesses the page, a link in the document redirects the user to a fake Microsoft login page, which then harvests credentials and other sensitive information. 
  • Persistence tactics: Post-compromise, attackers may add hidden MFA methods and even create inbox rules to hide their activity. 

To combat this threat, organisations can use advanced threat protection tools that inspect links and attachments, even from trusted domains.  

Treat all external content as untrusted by default, restrict external sharing in Microsoft 365, and enforce expiration on shared links. 

Use User and Entity Behaviour Analytics (UEBA) to detect unusual login patterns, file sharing or inbox rule creation. 
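As an added example (not part of the original post), the following Python flags the two persistence tactics listed above, a mail-hiding inbox rule and a newly registered MFA method, in a simplified, constructed audit-record layout, and raises the severity when both appear on one account within 24 hours. The field names, the inbox-rule parameter names and the "User registered security info." activity name are assumptions modelled on Microsoft 365 and Entra ID audit exports; a real export carries more fields.

```python
"""Flag the two persistence tactics above in M365 audit records. Assumed,
simplified layout (constructed; real Unified Audit Log and Entra ID exports
carry more fields): "CreationTime", "Operation", "UserId", "ClientIP" and,
for inbox-rule cmdlets, a "Parameters" list of {"Name", "Value"} dicts."""
from datetime import datetime, timedelta

HIDING_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}  # keep mail out of sight
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "conversation history"}
SUSPICIOUS_WORDS = {"password", "phish", "hack", "suspicious", "verify"}  # alert suppression
MFA_REGISTRATION = "User registered security info."  # assumed Entra ID audit activity name
WINDOW = timedelta(hours=24)  # both tactics on one account within this span => high

def hiding_rule_reason(params: dict):
    """Return a reason if an inbox rule looks designed to hide mail, else None."""
    hides = params.keys() & HIDING_PARAMS
    folder = str(params.get("MoveToFolder", "")).lower()
    words = str(params.get("SubjectContainsWords", "")).lower()
    if hides and ("DeleteMessage" in hides or folder in HIDING_FOLDERS
                  or any(w in words for w in SUSPICIOUS_WORDS)):
        return "hiding inbox rule via " + ", ".join(sorted(hides))
    return None

def find_persistence(records: list) -> list:
    """One finding per suspicious record; severity 'high' when correlated."""
    findings = []
    for r in records:
        reason = None
        if r["Operation"] in ("New-InboxRule", "Set-InboxRule"):
            reason = hiding_rule_reason({p["Name"]: p["Value"] for p in r.get("Parameters", [])})
        elif r["Operation"] == MFA_REGISTRATION:
            reason = f"new MFA method registered from {r['ClientIP']}"
        if reason:
            findings.append({"user": r["UserId"], "reason": reason, "severity": "medium",
                             "time": datetime.fromisoformat(r["CreationTime"])})
    for f in findings:  # a hiding rule plus a new MFA method on the same account
        if any(g["user"] == f["user"] and abs(g["time"] - f["time"]) <= WINDOW
               and g["reason"].startswith("new MFA") != f["reason"].startswith("new MFA")
               for g in findings):
            f["severity"] = "high"
    return findings

SAMPLE = [  # constructed: alice shows both tactics; bob's rule is ordinary mail filing
    {"CreationTime": "2024-05-02T08:10:00", "Operation": MFA_REGISTRATION,
     "UserId": "alice@example.com", "ClientIP": "203.0.113.7"},
    {"CreationTime": "2024-05-02T08:14:00", "Operation": "New-InboxRule", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.7", "Parameters": [{"Name": "SubjectContainsWords", "Value": "password;suspicious"},
                                               {"Name": "MoveToFolder", "Value": "RSS Feeds"}]},
    {"CreationTime": "2024-05-02T09:00:00", "Operation": "New-InboxRule", "UserId": "bob@example.com",
     "ClientIP": "198.51.100.4", "Parameters": [{"Name": "SubjectContainsWords", "Value": "weekly report"},
                                                {"Name": "MoveToFolder", "Value": "Projects"}]},
]
```

Running `find_persistence(SAMPLE)` returns two high-severity findings for alice and nothing for bob; feeding it a real export means mapping the export's own field names onto the assumed ones first.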

Enforce MFA for all users, including external collaborators, and use conditional access policies to challenge high-risk logins. 

Immediate remediation steps should be taken, including resetting the user’s password, removing any MFA methods the attacker added, resetting the user’s MFA, revoking current sessions, blocking the phishing URLs, and deleting the phishing emails. 

At the forefront of any defence still remains user education. Train users to verify unexpected emails, even from known contacts. Encourage reporting of suspicious SharePoint or OneDrive links. 

Threat actors are continuously refining their tactics, blending technical evasion with social engineering to exploit trust and familiarity. Organisations therefore need a combination of proactive detection, user education, and strict access controls to stay ahead of these threats. 

Stay ahead of sophisticated SharePoint phishing—secure your accounts, train your users, and act before trust is exploited.

Turn sophisticated phishing attempts into a non-issue with our proactive cybersecurity services:

  • safeguard your accounts
  • enforce MFA
  • educate your users